provide latest OS root certificates via port?

Fri Oct 29 15:09:45 UTC 2021

On 2021-10-29 at 07:23:38 UTC-0400 (Fri, 29 Oct 2021 07:23:38 -0400)
Richard L. Hamilton <rlhamil at smart.net>
is rumored to have said:

> You're (probably - seems plausible but I haven't verified it myself) 
> right that that's annoying and fixable.
>
> But there's a big reason to think carefully about whether to do that. 
> If something is old enough that it isn't receiving certificate 
> updates, it probably isn't receiving security updates either. And the 
> same applications and functionality that need current root 
> certificates to work are also likely to be common attack points.
>
> So at the very least, anything that makes it easier to take such a 
> risk should come with a prominent warning, IMO.

Yes: Anyone running Mojave or earlier is not exactly skydiving without a 
parachute, but is doing something close. Perhaps it's akin to skydiving 
with a homemade parachute...

Frankly, I don't think MacPorts should attempt to 'fix' this issue or 
similar future issues diretly, not because it encourages risky behavior 
but because MacPorts should avoid poking around in the MacOS base at all 
where it isn't essential for the operation of MacPorts. It's easy enough 
in principle for MacPorts to stand up and use its own modern OSS-based 
encryption+PKI stack with its own set of trusted CAs (e.g. 
curl-ca-bundle and openssl ports) and so keep itself functional without 
poking around in core functionality of the OS that MacPorts-naive tools 
need to use. People who need to fix the problem of an expired root cert 
should be able to understand and repair that problem (which can be done 
without digging a CA bundle out of a newer system) if they need to, and 
having the issue unaddressed is not itself a security issue, but a 
functionality issue. Anyone who actually wants to run Safari & Chrome on 
an OS that isn't getting basic security maintenance should be thinking 
very carefully about what they are doing and accept responsibility for 
making something work which arguably should no longer work because it is 
too risky.

One risk for MacPorts is a slippery slope created by providing support 
for antique OS versions that include opaque proprietary bits that are 
probably insecure in ways that no one fully understands. If it is taken 
too far (which in my opinion includes fixing core components like PKI) 
MP would be doing a disservice to users who understandably expect a 
"Just Works" experience on a Mac by enabling the continued use of tools 
that could well have permanent unrecognized and mostly invisible 
security flaws.

>> On Oct 29, 2021, at 07:12, René J.V. Bertin <rjvbertin at gmail.com> 
>> wrote:
>>
>> Hi,
>>
>> Users of older Apple OSes that are no longer receiving updates 
>> probably noticed that Safari and Chrome-based browsers no longer 
>> connect to lots of sites because a crucial root certificate has 
>> expired.
>>
>> Answer 1 to 
>> https://apple.stackexchange.com/questions/422332/how-do-i-update-my-root-certificates-on-an-older-version-of-mac-os-e-g-el-capi 
>> provides an easy solution, but you need access to an up-to-date OS 
>> install.
>>
>> These are not proprietary to Apple so I presume it should be possible 
>> to provide the suggested `rootcerts.pem` file via a port - possibly 
>> even install it in the post-activate. I had a look but couldn't find 
>> if such a port already exists. I think it'd help for lots of 
>> people... I'd propose a draft but I'm running 10.9 ... so thanks to 
>> anyone picking this up!
>>
>> R.
>>

-- 
Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire